SSL Deep Inspection broken?

sw2090
2019/12/06 02:08:20

Hello Community,
 
I have the following constellation:
 
I have a FortiGate that connects to the internet via SD-WAN with two or more ISPs and with health check enabled. Works fine so far.
I have a policy that allows clients coming from a subnet connected to the FGT to connect to the internet.
It is not limited by shaper or services, but it does have UTM features enabled: webfilter, URL filter and SSL deep inspection (to filter HTTPS pages). This also used to work fine.
 
Until I upgraded to 5.6.11 or higher :/
From 5.6.11 on, SSL deep inspection stopped working. It is still enabled, but users keep getting only SSL_PROTOCOL_ERROR when they try to access HTTPS pages.
I opened a ticket with TAC and sent them my config. They said the config is fine and they cannot reproduce it. I also did a test in a non-productive subnet on one site and failed to reproduce the issue too. It worked fine there.
 
But as I turned SSL deep inspection back on for the productive subnets the clients again encountered the above issue :/
 
Does anyone have any idea or advice about what could cause this?
 
#1

5 Replies

    boneyard
    Re: SSL Deep Inspection broken? 2019/12/07 03:37:01
    Did you do your tests with the same client(s)? As they seem to stand out here. Do they still trust the correct CA certificate? Is there something else on those clients (security software that checks for SSL tampering) or in the network towards the FortiGate?
    #2
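    The question above comes down to what certificate the client actually receives and whether it trusts the CA that signed it. The following Python script is an added example (not from this thread, Fortinet, or any FortiGate tooling) that models that check from the client side: `classify()` decides from a certificate in the shape `ssl.SSLSocket.getpeercert()` returns whether the session was re-signed by the inspection CA and whether the client would accept it, and `probe()` runs the same check live against a host. The CA common name `Example-FortiGate-Inspection-CA`, the sample certificate dicts and the status strings are constructed placeholders, not values from the thread.

```python
import socket
import ssl

# Subject CN of the CA the FortiGate re-signs server certificates with.
# Constructed placeholder: substitute the CN of your own inspection CA.
INSPECTION_CA_CN = "Example-FortiGate-Inspection-CA"


def rdn_to_dict(rdn):
    """Flatten the nested tuple form that ssl.SSLSocket.getpeercert() uses for
    'subject' and 'issuer' into a plain {attribute: value} dict."""
    return {attr: value for rdn_part in rdn for attr, value in rdn_part}


def classify(peercert, client_trusts_inspection_ca):
    """Decide what a client is seeing from the certificate a TLS server presented.

    peercert: dict shaped like ssl.SSLSocket.getpeercert() (issuer/subject as
              nested tuples). client_trusts_inspection_ca: whether the
              inspection CA is in that client's trust store.
    Returns one of:
      'not-inspected'        -- issuer is not the inspection CA: the session was
                                not re-signed (no deep inspection on that path)
      'inspected-trusted'    -- re-signed by the inspection CA and the client
                                trusts it: deep inspection works transparently
      'inspected-untrusted'  -- re-signed, but the client lacks the CA: the
                                browser aborts the handshake with a TLS error
    """
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    if issuer.get("commonName") != INSPECTION_CA_CN:
        return "not-inspected"
    return "inspected-trusted" if client_trusts_inspection_ca else "inspected-untrusted"


def probe(host, port=443, inspection_ca_file=None, timeout=5.0):
    """Live check from a client: open a TLS session and report what the path did.

    With inspection_ca_file set, ONLY that CA is trusted, so a verified handshake
    proves the chain was re-signed by the inspection CA; a verification failure
    means the server's real chain came through (no inspection) or a different
    CA re-signed it. Without a CA file the system store is used, which mirrors
    what a browser on that client does.
    Returns (status, peercert_dict_or_None).
    """
    ctx = ssl.create_default_context(cafile=inspection_ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return ("chain-not-trusted-by-this-store", None)
    except ssl.SSLError as exc:
        return ("handshake-failed: " + str(exc), None)
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("commonName") == INSPECTION_CA_CN:
        return ("inspected-by-expected-ca", cert)
    return ("served-with-original-chain", cert)


# Constructed sample certificates in getpeercert() shape, not captured from any
# real FortiGate or web server.
RESIGNED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", INSPECTION_CA_CN),),),
}
ORIGINAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA Ltd"),
                ("commonName", "Example Public CA"),),),
}


if __name__ == "__main__":
    for cert, trusts in ((RESIGNED_CERT, True), (RESIGNED_CERT, False), (ORIGINAL_CERT, True)):
        issuer_cn = rdn_to_dict(cert["issuer"])["commonName"]
        print(issuer_cn, "trusted:", trusts, "->", classify(cert, trusts))
```

    Run `probe("www.example.com")` from an affected client and from a working one: if the affected client returns `chain-not-trusted-by-this-store` while the working one returns `inspected-by-expected-ca`, the difference is in the client's trust store, not the policy. If both return `served-with-original-chain`, the traffic from that source is not being matched by the deep-inspection policy at all.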
    sw2090
    Re: SSL Deep Inspection broken? 2019/12/09 01:11:06
    Hm, yes, clients know our CA and trust it.
    I tested on a VM in the same subnet (but a different IP range within that subnet) without problems.
    The only thing I am still not sure about atm is whether our antivirus suite was deployed on that VM.
    #3
    sw2090
    Re: SSL Deep Inspection broken? 2019/12/09 02:35:08
    OK, I've retested this here on my client, which has the very same AV suite installed. I encountered no problems with deep inspection here so far. So it seems not to be blamed on the AV suite.
     
    #4
    boneyard
    Re: SSL Deep Inspection broken? 2019/12/09 08:36:49
    So say your clients are in subnet 10.10.0.0/16.
     
    You have a firewall policy 10.10.0.0/16 to internet with SSL deep / full inspection.
     
    These clients have an inspection problem.
     
    If you set up a VMware VM in the same 10.10.0.0/16, then it works fine?
     
    I really would recheck those clients then, because if the above is the case, then the difference is in the clients, not in the FortiGate or its config.
    #5
    sw2090
    Re: SSL Deep Inspection broken? 2019/12/10 01:13:40
    To stay with your example, boneyard:
     
    Clients are in 10.10.0.0/24.
    There is a policy 10.10.0.0/24 to internet via SD-WAN with webfilter and SSL Deep Inspection enabled.
    These clients have the issue I mentioned.
    For testing I now used my client here (as Windows and AV are the same). Let's say my client has 10.10.0.1.
    So I created a policy 10.10.0.1 to internet via SD-WAN with webfilter and SSL Deep Inspection enabled. I placed this before the above policy to have it match first (as policies are first come, first served).
    On my client everything worked fine. I didn't encounter the above issue with Deep Inspection.
     
    I also did the same at another site before, just with a VM instead of a physical client. Thus the VM has the same setup; it is just a virtual client for testing purposes. I did not encounter the issue there either.
     
    What now came to my mind is that this could be a 5.6.11-only issue, since in the meantime I've upgraded some FGTs to 6.0.7 (or now to 6.0.8). Among those is ours here, where my client is connected.
    So it could be that this is probably gone in 6.x. I might have to test this again when I've finished updating all FGTs and the ADOM in FortiManager. Before that I cannot roll out anything centrally.
    #6
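    The test in the post above depends on the per-client policy being placed above the subnet policy, because the firewall evaluates policies top-down and takes the first match. The Python script below is an added example (not from this thread or from Fortinet) that models exactly that: `first_match()` picks the policy a source address hits in list order, and `shadowed()` reports policies that can never match because an earlier, broader policy already covers their whole source range. The `Policy` class and the policy names are a constructed model, and the addresses are the thread's own example values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Minimal model of a firewall policy: who it matches and what it does.
    Constructed model with only the fields ordering questions need; it is not
    the FortiGate policy data structure."""
    name: str
    src: str               # source address as CIDR
    deep_inspection: bool  # SSL deep inspection enabled on this policy


def first_match(policies, src_ip):
    """Return the first policy (in list order) whose source covers src_ip,
    mirroring top-down, first-match evaluation."""
    ip = ipaddress.ip_address(src_ip)
    for pol in policies:
        if ip in ipaddress.ip_network(pol.src, strict=False):
            return pol
    return None


def shadowed(policies):
    """Names of policies that can never match because an earlier policy's
    source range fully contains theirs. A per-client test policy placed below
    the broad subnet policy is the classic case."""
    out = []
    for i, later in enumerate(policies):
        later_net = ipaddress.ip_network(later.src, strict=False)
        for earlier in policies[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier.src, strict=False)):
                out.append(later.name)
                break
    return out


def which_policy(policies, src_ip):
    """Name of the policy src_ip would hit, or None if nothing matches."""
    pol = first_match(policies, src_ip)
    return pol.name if pol else None


# Constructed policy table using the thread's example addresses.
SUBNET_POLICY = Policy("clients-to-internet", "10.10.0.0/24", deep_inspection=True)
TEST_POLICY = Policy("test-client-to-internet", "10.10.0.1/32", deep_inspection=True)

CORRECT_ORDER = [TEST_POLICY, SUBNET_POLICY]  # test policy above, as in the thread
WRONG_ORDER = [SUBNET_POLICY, TEST_POLICY]    # test policy below: never reached


if __name__ == "__main__":
    print(which_policy(CORRECT_ORDER, "10.10.0.1"))   # test-client-to-internet
    print(which_policy(CORRECT_ORDER, "10.10.0.50"))  # clients-to-internet
    print(which_policy(WRONG_ORDER, "10.10.0.1"))     # clients-to-internet
    print(shadowed(WRONG_ORDER))                      # ['test-client-to-internet']
```

    When a narrow test policy is reported as shadowed, a "working" result from the test client says nothing about the test policy: the traffic was handled by the broad policy all along, which is the comparison the thread is trying to avoid.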